Re: SELinux & Redhat

From: Jeff - <threshar(at)torgo(dot)978(dot)org>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: pgsql-docs(at)postgresql(dot)org
Subject: Re: SELinux & Redhat
Date: 2005-05-06 15:46:26
Message-ID: 6CD32D5F-B466-4E6D-9E73-CFB8957B396F@torgo.978.org
Lists: pgsql-docs, pgsql-performance

On May 6, 2005, at 11:23 AM, Tom Lane wrote:

> Jeff - <threshar(at)torgo(dot)978(dot)org> writes:
>
>> Eventually we found it was SELinux that was preventing pg_dump from
>> producing output.
>>
>
> That's a new one on me.  Why was it doing that --- mislabeling on
> the pg_dump executable, or what?
>

We've got a stock CentOS 4 install.
I nabbed the rpms I mentioned (8.0.2) (-rw-r--r--  1 root root 2955126 May  4 11:51 postgresql-8.0.2-1PGDG.i686.rpm & company).

From /etc/selinux/targeted/contexts/files/file_contexts I see:

file_contexts:/usr/bin/pg_dump  --       system_u:object_r:postgresql_exec_t
file_contexts:/usr/bin/pg_dumpall       --       system_u:object_r:postgresql_exec_t

Syslog logs:

May  6 09:01:25 starslice kernel: audit(1115384485.559:0): avc:  denied  { execute_no_trans } for  pid=4485 exe=/bin/bash path=/usr/bin/pg_dump dev=sda3 ino=5272966 scontext=user_u:system_r:postgresql_t tcontext=system_u:object_r:postgresql_exec_t tclass=file


SELinux is on and under system-config-securitylevel's selinux tab,  
"SELinux Protection services" disable postgresql is not clicked.

When I run pg_dump w/these settings the following happens running
pg_dump (.broken is the original file from the rpm):

bash-3.00$ /usr/bin/pg_dump.broken planet
bash-3.00$

Stracing it I get
....
write(1, "file_pkey; Type: CONSTRAINT; Sch"..., 4096) = 4096
write(1, "\n-- Name: userprofile_pkey; Type"..., 4096) = 4096
write(1, "_idx_1 OWNER TO planet;\n\n--\n-- N"..., 4096) = 4096
rt_sigaction(SIGPIPE, {SIG_IGN}, {SIG_DFL}, 8) = 0
send(3, "X\0\0\0\4", 5, 0)              = 5
rt_sigaction(SIGPIPE, {SIG_DFL}, {SIG_IGN}, 8) = 0
close(3)                                = 0
write(1, "me: top3_cmtcount_idx; Type: IND"..., 3992) = 3992
munmap(0xb7df0000, 4096)                = 0
exit_group(0)                           = ?


and what is interesting is it seems only sometimes things get logged  
to syslog about the failure.

If I copy the file (not mv) it will work (possibly due to xattrs  
being set?)

and if I disable pg checking (or selinux altogether) it works.


COOL, HUH?

--
Jeff Trout <jeff(at)jefftrout(dot)com>
http://www.jefftrout.com/
http://www.stuarthamm.net/
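
The AVC record quoted in the message above can be taken apart field by field. The following Python is an added example, not part of the original message or of any PostgreSQL or SELinux tooling: it parses the `avc:` syslog format shown in the message and counts denials per source type, target type, class and permission. The function names are illustrative, and the sample line is the message's own record with the e-mail line wraps removed.

```python
import re
from collections import Counter

# Record copied from the message above, e-mail line wraps removed.
SAMPLE = (
    "May  6 09:01:25 starslice kernel: audit(1115384485.559:0): avc:  "
    "denied  { execute_no_trans } for  pid=4485 exe=/bin/bash "
    "path=/usr/bin/pg_dump dev=sda3 ino=5272966 "
    "scontext=user_u:system_r:postgresql_t "
    "tcontext=system_u:object_r:postgresql_exec_t tclass=file"
)

AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$"
)

def split_context(ctx):
    """Split user:role:type; newer policies append an MLS level after the type."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:                       # malformed context: keep it verbatim
        return {"raw": ctx}
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "level": parts[3] if len(parts) == 4 else None}

def parse_avc(line):
    """Return the fields of one AVC record, or None for any other log line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"timestamp": float(m["ts"]), "serial": int(m["serial"]),
           "verdict": m["verdict"], "perms": m["perms"].split()}
    # key=value pairs after "for"; assumes values contain no spaces, as in the sample
    for token in m["rest"].split():
        key, sep, value = token.partition("=")
        if sep:
            rec[key] = value
    for key in ("scontext", "tcontext"):
        if key in rec:
            rec[key] = split_context(rec[key])
    return rec

def tally(lines):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, lines)):
        if rec["verdict"] != "denied":
            continue
        src = rec.get("scontext", {}).get("type")
        tgt = rec.get("tcontext", {}).get("type")
        for perm in rec["perms"]:
            counts[(src, tgt, rec.get("tclass"), perm)] += 1
    return counts

if __name__ == "__main__":
    print(tally([SAMPLE]))
```

For the record in the message, the source type is `postgresql_t` (the domain of the calling `/bin/bash`), the target type is `postgresql_exec_t`, and the denied permission `execute_no_trans` is the one that governs executing a file without a domain transition.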




